funsec mailing list archives

RE: Security Vendor Bypasses Microsoft's Vista PatchGuard


From: Larry Seltzer <Larry () larryseltzer com>
Date: Wed, 25 Oct 2006 14:43:27 -0400

The reason kernel hooking is an issue is that in order for an AV or AS
to adequately protect itself from being disabled by malware, it has to
hook the kernel to do so.

Not to get into a semantic argument, but this sounds like intrusion
prevention to me. The actual AV and AS scanning capabilities can be done
entirely through filters. And the APIs Microsoft is talking to security
vendors about creating are essentially a new set of filters for events
involving processes, memory, named objects, and other sorts of things
that HIPS monitors through kernel patching. Too bad it will be a long
time before they're ready.

As a side note, most of these attacks would fail were it not for user
accounts running with administrator privs in the typical home setup.

Absolutely, and this should definitely be much less of a problem on
Vista, where you have to click the "Please Shoot Me" button to get a
privileged user account. The norm will be less-privileged accounts. Of
course, if a user installs a new program they downloaded from
who-knows-where, the system says that it needs admin privileges, and
the user says yes, then only PatchGuard stands in its way.

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blog.eweek.com/blogs/larry%5Fseltzer/
Contributing Editor, PC Magazine
larryseltzer () ziffdavis com

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
